Feeds

Industrial security - it's not the same as IT security

Niche market potential

The Essential Guide to IT Transformation

In the past, equipment control for manufacturing processes on the shop floor tended to be carried out by discrete systems running arcane real time operating systems controlled by proprietary management systems that had no connection through to other systems.

In essence, this meant that the systems were secure, being "air locked" from everything else around them. The sensors fed information to a low-intelligence control unit that would send simple control sequences to actuators on the equipment. Sensor A shows that the temperature is too high here, actuator B opens up a little to let more coolant through, and so on.

If sensors sensed that something was way out of line, the controller just shut everything down for that piece of equipment. Problems only happened when there was a controller, sensor or actuator failure, and an engineer would be called in to physically replace the controller itself.

However, the drive for "IP everywhere" has started to bring such controls into the standard IT environment, and has introduced a new set of issues for the production line management, as well as the IT department.

For a start, many of these systems will have been in place for many years, and on the tried and tested principle of "if it isn't broken, don't fix it", the production line manager will not take kindly to anyone coming in and trying to replace any controllers, sensors and actuators, nor to "upgrade" them with additional pieces of technology to make them more amenable to being included in the overall IT environment.

Furthering the same principle, many of these controllers will not have had their internal software or firmware updated for years, leading to many different versions of systems being in place. However, as new equipment comes in, the pressure builds to include older equipment into the new systems, ensuring that the end-to-end process can be fully controlled - and that any failure along the line can be better managed by throttling back the whole production line moving part of the process to another machine, or whatever.

Once the systems have been brought in to an IP environment, however, the main issue that raises its head is security. Whereas the old air locked systems were inherently secure, requiring someone on-site with in-depth knowledge of the existing proprietary system to have any idea as to how to control it, the new systems can be accessed through standard tools over IP from anywhere in the world - if security is not applied in the correct manner.

At the basic level, this seems to be the same requirements as for a standard IT network - there is the need to stop outsiders from breaking in to the environment and gaining control, to stop disgruntled people on site from sabotaging the process, and to safeguard against accidental damage by workers.

But the shop floor tends not to be the same as other parts of the IT empire. We're not looking at highly standardised operating systems, at SNMP (simple networking management protocol) events that can be easily captured, at highly manageable end points that can be accessed directly through existing systems management tools.

Also, where we have a problem in the general IT infrastructure and we call in an engineer who will need to be able to trace through the infrastructure to identify root cause, on the production line, we will generally know what the root cause is, and any engineer coming in will be pointed to a specific piece of equipment with the instruction to fix it - yet our new environments will enable any problems that this engineer may introduce into the system to have knock on effects all the way through the entire process.

Therefore, a different approach to industrial security is required. We have to have a solution that is as unobtrusive as possible, that integrates directly into existing control systems that understands the levels of granularity that are required to provide the security that we need, and yet can enable the IT department to see the overall environment as part of the main IT infrastructure.

One such company that does this is Innominate, a German company that provides "embedded" security solutions aimed fairly and squarely at the industrial sector. Its mGuard solution provides a non-intrusive solution that not only gives on-site security against malicious and accidental problems, but also gives full virtual private network (VPN) access that ties in directly with the rest of the security solution so that external engineers can access equipment remotely - so providing faster response and cheaper fixes for problems where on-site presence is not required.

Other areas covered by Innominate include operating system agnostic anti-virus, and high availability redundant firewalls with fail over to maintain up time for remote access.

There are others in the market - Siemens and IBM both provide solutions via their professional services groups, and are increasingly building IP and security directly into industrial solutions.

Innominate is focused purely on this market - and seems to really understand what it is doing. However, it is a small company, and must manage its growth carefully. Its target market is large on a worldwide basis, and there are few players. This points towards the possibility of high growth - but this could also stretch the company's capabilities if not handled correctly. Innominate could also rapidly become a takeover target and this would also need careful handling to ensure that existing customers are fully supported while prospects are made to feel that the future is secure. Such a takeover could, paradoxically, provide the long-term stability for customers that may not be so apparent within a smaller company.

Overall, Quocirca believes that industrial security has to be dealt with - and that the growth of new equipment that has IP built directly into it means that it is becoming harder to disregard existing systems. As soon as a company looks at connecting two pieces of equipment together in a control sense, then security will have to be considered.

Copyright © 2007, Quocirca

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.